What is Ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files until a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

Ransom Prices and Payment

Ransom prices vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins. Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or hostaged files.

Ransomware Infection and Behavior

Users may encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware are known to be delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.

Once executed in the system, ransomware can either lock the computer screen or, in the case of crypto-ransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on the infected system's screen, which prevents victims from using their system. This screen also shows the instructions on how users can pay the ransom. The second type of ransomware prevents access to potentially critical or valuable files like documents and spreadsheets.

Ransomware is considered "scareware" as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to FAKEAV malware, but instead of capturing the infected system or encrypting files, FAKEAV shows fake antimalware scanning results to coax users into purchasing bogus antimalware software.

The History and Evolution of Ransomware

Early Years

Cases of ransomware infection were first seen in Russia between 2005 and 2006. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files in the user's system. It also created a text file that acted as the ransom note, informing users that the files could be retrieved in exchange for $300.

In its earlier years, ransomware typically encrypted particular file types such as .DOC, .XLS, .JPG, .ZIP, .PDF, and other commonly used file extensions.

In 2011, Trend Micro published a report on an SMS ransomware threat that asked users of infected systems to dial a premium SMS number. Detected as TROJ_RANSOM.QOWA, this variant repeatedly displayed a ransomware page to users until they paid the ransom by dialing a certain premium number.

Another notable report involved a ransomware type that infects the Master Boot Record (MBR) of a vulnerable system, preventing the operating system from loading. To do this, the malware copies the original MBR and overwrites it with malicious code. It then forces the system to restart so the infection takes effect and displays the notification (in Russian) once the system restarts.

Ransomware Spreads Outside Russia

Ransomware infections were initially limited to Russia, but its popularity and profitable business model soon found its way to other countries across Europe. By March 2012, Trend Micro observed a continuous spread of ransomware infections across Europe and North America. Similar to TROJ_RANSOM.BOV, this new wave of ransomware displayed a notification page supposedly from the victim’s local police agency instead of the typical ransom note (see Reveton, Police Ransomware below).

During this period, different tactics were being used to spread ransomware. A case in 2012 involved a popular French confectionery shop's website that was compromised to serve TROJ_RANSOM.BOV. This watering hole tactic resulted in widespread infections in France and Japan, where the shop also had a significant fan base. Instead of the usual ransom note, TROJ_RANSOM.BOV displayed a fake notice from the French police agency Gendarmerie Nationale.

The Rise of Reveton and Police Ransomware

Reveton is a ransomware type that impersonates law enforcement agencies. Known as Police Ransomware or Police Trojans, these malware are notable for showing a notification page purportedly from the victim’s local law enforcement agency, informing them that they were caught doing an illegal or malicious activity online.

To know which local enforcement agency is applicable to users, Reveton variants track the geographical location of their victims. Thus, affected users living in the US receive a notification from the FBI while those located in France are shown a notice from the Gendarmerie Nationale.

Reveton variants also employ a different payment method compared to early ransomware attacks. Once a system is infected with a Reveton variant, users are prompted to pay through Ukash, PaySafeCard, or MoneyPak. These payment methods afford ransomware perpetrators anonymity, as both Ukash and PaySafeCard leave only a faint money trail.

In 2012, different types of Reveton variants were seen exhibiting new techniques. During the latter part of that year, Trend Micro reported on variants that played an audio recording using the victim’s native language, and another one bearing a fake digital certificate.

The Evolution to CryptoLocker and Crypto-ransomware

In late 2013, a new type of ransomware emerged that encrypted files in addition to locking the system. Encrypting the files ensured that victims were still forced to pay the ransom even if the malware itself was deleted. Because of this new behavior, it was dubbed "CryptoLocker". Like previous ransomware types, crypto-ransomware demands payment from affected users, this time for a decryption key to unlock the encrypted files.

Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption method used, analysis shows that the malware uses AES + RSA encryption.

RSA is an asymmetric-key algorithm, which means it uses two keys: one key encrypts the data and the other decrypts it. One key, called the public key, is made available to any outside party; the other, called the private key, is kept by the user. AES is a symmetric-key algorithm, which uses the same key to encrypt and decrypt information.

The malware encrypts files with an AES key. This AES key, which is needed for decryption, is written into the files encrypted by the malware. However, the key is itself encrypted with an RSA public key embedded in the malware, which means that the corresponding private key is needed to recover it.
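As an added illustration of the key handling just described (example code written for this page, not code from the original article or from the malware): a Go program using standard-library primitives that encrypts an in-memory constructed sample with a fresh AES key, wraps that key with the embedded RSA public key and stores it in front of the ciphertext, then shows that only the matching private key recovers the data. The container layout, the use of AES-GCM, and the function names are assumptions made for this example, not CryptoLocker's actual format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout used here (a constructed format for illustration, NOT CryptoLocker's real layout):
//   [2-byte big-endian length][RSA-OAEP wrapped AES-256 key][12-byte GCM nonce][AES-GCM ciphertext]
const nonceSize = 12

func newOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // only the public half ships in the malware

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptHybrid models the scheme in the text: a fresh AES key protects the data and is itself
// wrapped with the embedded RSA public key (a 256-byte blob for RSA-2048), stored before the ciphertext.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	keyAndNonce := make([]byte, 32+nonceSize) // one random draw for the AES-256 key and the nonce
	if _, err := rand.Read(keyAndNonce); err != nil {
		return nil, err
	}
	aesKey, nonce := keyAndNonce[:32], keyAndNonce[32:]
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil // Seal appends ciphertext and tag to out
}

// decryptHybrid is what a recovery tool does once the operator's private key is obtained:
// unwrap the AES key from the header, then decrypt. With any other key the unwrap step fails.
func decryptHybrid(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	if len(data) < 2 || len(data) < 2+int(binary.BigEndian.Uint16(data[:2]))+nonceSize {
		return nil, errors.New("truncated container")
	}
	wlen := int(binary.BigEndian.Uint16(data[:2]))
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, data[2:2+wlen], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key (wrong or missing private key): %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce, ciphertext := data[2+wlen:2+wlen+nonceSize], data[2+wlen+nonceSize:]
	return gcm.Open(nil, nonce, ciphertext, nil) // also fails if the ciphertext was tampered with
}

func main() {
	operator, _ := newOperatorKey()
	other, _ := newOperatorKey() // an unrelated key pair, standing in for "no private key"
	blob, _ := encryptHybrid(&operator.PublicKey, []byte("constructed sample document"))
	recovered, err := decryptHybrid(operator, blob)
	_, wrongErr := decryptHybrid(other, blob)
	fmt.Printf("operator's key: %q (err=%v)\nany other key: %v\n", recovered, err, wrongErr)
}
```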

Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contained malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function. It downloads a ZBOT variant, which then downloads the CryptoLocker malware.

Near the end of 2013, a new variant of CryptoLocker emerged, this time with propagation routines. This variant, detected as WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants, which means it can spread more easily than other variants. The new variant doesn't rely on downloader malware, as CRILOCK does, to infect systems; rather, it pretends to be an activator for software used on peer-to-peer (P2P) file sharing sites. Technical differences have led some researchers to believe this malware was produced by a copycat.

Another file-encrypting ransomware type soon came into the picture. The crypto-ransomware known as CryptoDefense or Cryptorbit (detected as TROJ_CRYPTRBIT.H) encrypts database, web, Office, video, images, scripts, text, and other non-binary files, deletes backup files to prevent restoration of encrypted files, and demands payment for a decrypt key for the locked files.

The Foray into Cryptocurrency Theft

Ransomware soon began to incorporate yet another element: cryptocurrency (e.g., Bitcoin) theft. In 2014, Trend Micro saw two variants of a new malware called BitCrypt. The first variant, TROJ_CRIBIT.A, appends ".bitcrypt" to any encrypted files and displays a ransom note in English. The second variant, TROJ_CRIBIT.B, appends ".bitcrypt 2" to the filename and uses a multilingual ransom note in 10 languages. CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to encrypt the files, and specify that payment for unlocking files be made in Bitcoins.

It was discovered that a variant of the FAREIT information stealing malware, TSPY_FAREIT.BB, downloads TROJ_CRIBIT.B. This FAREIT variant can steal information from various cryptocurrency wallets, including wallet.dat (Bitcoin), electrum.dat (Electrum), and .wallet (MultiBit). These files contain important information such as transaction records, user preferences, and accounts.

The Angler Exploit Kit

In 2015, the Angler exploit kit was one of the more popular exploit kits used to spread ransomware, and was notably used in a series of malvertisement attacks through popular media such as news websites and localized sites. Angler was constantly updated to include a number of Flash exploits, and was known for being used in notable campaigns such as the Hacking Team leak and Pawn Storm. Because of its easy integration, Angler remains a prevalent choice as a means to spread ransomware.

POSHCODER: PowerShell Abuse

A new variant of ransomware and CryptoLocker threats surfaced that leverages the Windows PowerShell feature to encrypt files. Trend Micro detects this as TROJ_POSHCODER.A. Windows PowerShell is a built-in feature in Windows 7 and higher. Cybercriminals often abuse this feature to make threats undetectable on the system and/or network.

POSHCODER uses AES encryption and an RSA 4096 public key to encrypt the said AES key. Once all files on the infected system are encrypted, it displays a ransom image.

Ransomware Infects Critical Files

While crypto-ransomware may have become popular with cybercriminals, this doesn't mean that other types of ransomware disappeared from the landscape. Police ransomware was still observed locking the screens of infected computers.

What makes this particular ransomware different from other police ransomware is that it rides on patched malware to infect systems. Patched malware is any legitimate file that has been modified (via addition or injection) with malicious code. Modifying a legitimate file can be advantageous to cybercriminals as the rate of execution of malicious code will depend on the infected file’s frequency of use.

This ransomware is also notable for infecting user32.DLL, a known critical file. Infecting a critical file can be considered an evasion technique as it can help prevent detection by behavioral monitoring tools due to whitelisting. Additionally, cleaning critical files such as user32.DLL requires extra care as one misstep can crash a system, which could be seen as a possible obstacle for cleaning tools.

The infected user32.DLL performs a chain of routines that ends with the ransomware being loaded. It also locks the infected computer's screen and projects a “ransom” image, similar to previous police ransomware messages.

Within a couple of years, ransomware has evolved from a threat that targeted Russian users to an attack that spread to several European and North American countries. With a profitable business model and a payment scheme that affords anonymity for its operators, ransomware development is expected to accelerate over the coming years. Thus, it is crucial for users to know how ransomware works and how to best protect themselves from this threat.

Ransomware Evolved: Modern Ransomware

After the shift to crypto-ransomware, the extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable it to spread across networks and servers. The latest developments show how threat actors are experimenting with new features, such as offering alternative payment platforms to make ransom payments easier, routines that threaten to cause potentially crippling damage to non-paying victims, or new distribution methods.

CERBER (RANSOM_CERBER.A) – When it was first seen in early March 2016, CERBER was notable for having a ‘voice’ feature that reads out the ransom message. CERBER was also found to have a customizable configuration file that allows distributors to modify its components—a feature common for malware that's being sold in underground markets. CERBER is also notorious for being used in an attack that potentially exposed millions of Microsoft Office 365 users to the infection.

SAMSAM (RANSOM_CRYPSAM.B) – Discovered in March 2016, SAMSAM is installed after the attackers exploit vulnerabilities on unpatched servers—instead of the usual malicious URLs and spam emails—and uses these to compromise other machines.

JIGSAW (RANSOM_JIGSAW.I) – The first JIGSAW variant seen in April 2016 mixed effective scare tactics with an innovative routine. Featuring imagery from the Saw movie franchise, Jigsaw's ransom note features a countdown timer to pressure its victims into paying, with a promise to increase the ransom amount while deleting portions of the encrypted files every time the timer runs out. Recent Jigsaw variants also offer chat support that allows victims to contact the cybercriminal.

The Biggest Attack to Date

Though ransomware routines are not altogether new, they still work and so are still used by operators. Case in point: ransomware variant WannaCry/WCRY, which originally spread via malicious Dropbox URLs embedded in spam, took an unexpected turn this May. It began exploiting a recently patched vulnerability in the SMB Server, thus resulting in the biggest ransomware attack to date.

Even before WannaCry reared its ugly head, companies and individuals worldwide had already been suffering the threat's dire consequences, all documented in our report, Ransomware: Past, Present, and Future. After just one year, we saw a staggering 752% increase in the number of ransomware families.

Regional distribution of ransomware threats from January 2016 to March 2017

The Future of Ransomware

It will not be surprising if ransomware changes in a few years. In terms of potential, it can evolve into malware that disables entire infrastructure (critical not only to a business's operation but also to a city's or even a nation's) until the ransom is paid. Cybercriminals may soon look into approaches like hitting industrial control systems (ICS) and other critical infrastructure to paralyze not just networks but ecosystems. A key area that could become a bigger target for cybercriminals is payment systems, as seen with the Bay Area Transit attack in 2016 where the service provider's payment kiosks were targeted with ransomware.

We have seen ransomware operators hit hospitals and transportation service providers. What would stop attackers from hitting even bigger targets like the industrial robots that are widely used in the manufacturing sector or the infrastructure that connects and runs today's smart cities? Online extortion is bound to make its way from taking computers and servers hostage to any type of insufficiently protected connected device, including smart devices or critical infrastructure. The return on investment (ROI) and the ease with which cybercriminals can create, launch, and profit from this threat will ensure it continues in the future.

The Bitcoin Connection

With the exception of some ransomware families that demand high amounts, ransomware variants typically ask for 0.5−5 Bitcoins (as of 2016) in exchange for a decrypt key. This is important for two reasons—some variants increase the ransom as more time elapses with nonpayment, and the Bitcoin exchange rate is on the rise. In January 2016, 1 BTC was worth US$431. Bitcoin's value has risen dramatically since then, topping out at US$1,082.55 at the end of March, 2017.

Ransomware Defense, Prevention, and Removal

Ransomware Defense

There is no silver bullet when it comes to stopping ransomware, but a multi-layered approach that prevents it from reaching networks and systems is the best way to minimize the risk.

For small and medium-sized businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and a real-time web reputation service that detects and blocks ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Ransomware Prevention:

Avoid opening unverified emails or clicking links embedded in them.

Back up important files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location.

Regularly update software, programs, and applications to protect against the latest vulnerabilities.

List of Known Ransomware Families

First spotted in early 2012; Encrypts files into a password-protected archive; Cybercriminals behind this ransomware ask for payment through MoneyPak, Paysafe, or Ukash to restore the files and unlock the screen; Known as a multi-component malware packaged as a self-extracting (SFX) archive; May come bundled with third-party applications such as Sdelete and WinRAR

ANDROIDOS_LOCKER

First mobile ransomware spotted; Uses Tor, a legitimate service that allows anonymous server connections; Users with mobile devices affected by this malware may find the files stored in their mobile device rendered useless and held for ransom

CRIBIT

BitCrypt

Similar to CRILOCK with its use of RSA-AES encryption for target files; Version 1 uses RSA-426; Version 2 uses RSA-1024; Appends the string bitcryp1 (for version 1) and bitcrypt2 (for version 2) to the extension name of the files it encrypts

CRILOCK

CryptoLocker

Employs a Domain Generation Algorithm (DGA) for its C&C server connection; October 2013 - UPATRE was found to be part of the spam mail that downloads ZBOT, which further downloads CRILOCK

CRITOLOCK

Cryptographic locker

Uses the Advanced Encryption Standard (AES-128) cryptosystem; The word Cryptolocker appears in the wallpaper it sets on an affected computer

Encrypts data files; Ensures there is no recovery of encrypted files by deleting its shadow copies; Arrives via spam mail that contains an attachment, actually a downloader of this ransomware; Uses social engineering to lure users to open the attachment; Uses Tor to mask its C&C communications

CRYPDEF

CryptoDefense

To decrypt files, it asks users to pay ransom money in bitcoin currency

CRYPTCOIN

CoinVault

Encrypts files and demands users to pay in bitcoin to decrypt files; Offers a one-time free test to decrypt one file

CRYPTFILE

Uses a uniquely generated RSA-2048 public key for file encryption and asks users to pay 1 bitcoin to obtain the private key for decrypting the files

CRYPWALL

CryptoWall, CryptWall, CryptoWall 3.0, Cryptowall 4.0

Reported to be the updated version of CRYPTODEFENSE; Uses bitcoin as the mode of payment; Uses the Tor network for anonymity; Arrives via spam mail, following the UPATRE-ZBOT-RANSOM infection chain; CryptoWall 3.0 comes bundled with FAREIT spyware; CryptoWall 4.0 also encrypts the names of the files it encrypts and uses an updated ransom note; it arrives via spam as a JavaScript attachment and may be downloaded by TROJ_KASIDET variants

CRYPTROLF

Shows troll face image after file encryption

CRYPTTOR

Changes the wallpaper to picture of walls and asks users to pay the ransom

Arrives via spam email; Downloads BAT_CRYPTOR and its components such as a decoy document

VIRLOCK

VirLock, VirRansom

Infects document files, archives, and media files such as images

PGPCODER

Discovered in 2005; first ransomware seen

KOLLAH

One of the first ransomware that encrypts files using certain extension names; Target files include Microsoft Office documents, PDF files, and other files deemed information-rich and relevant to most users; Adds the string GLAMOUR to files it encrypts

KOVTER

Payload of the attack related to YouTube ads that lead to the Sweet Orange exploit kit

MATSNU

Backdoor that has screen locking capabilities; Asks for ransom

RANSOM

Generic detection for applications that restrict users from fully accessing the system or encrypt some files, and demand a ransom in order to decrypt the files or unlock the infected machine

REVETON

Police Ransom

Locks screen using a bogus display that warns the user that they have violated federal law; Message further declares the user's IP address has been identified by the Federal Bureau of Investigation (FBI) as visiting websites that feature illegal content

Archives files with specific extensions; Leaves a ransom text file containing the instructions on who to contact and how to unpack the archives containing user's files

CRYPWEB

PHP ransomware

Encrypts the databases on the web server, making the website unavailable; Uses HTTPS to communicate with the C&C server; The decryption key is only available on the C&C server

CRYPDIRT

Dirty Decrypt

First seen in 2013 before the emergence of Cryptolocker

CRYPTORBIT

Detection for images, text, and HTML files which contain ransom notes that serve as indicators of compromise (IOCs)

CRYPTLOCK

TorrentLocker

Poses as CryptoLocker; newer variants display crypt0l0cker on the affected computer; uses a list of file extensions that it avoids encrypting, rather than the list of extensions to encrypt that most ransomware uses. This allows CRYPTLOCK to encrypt more files while making sure the affected computer still runs, so that users know their files are encrypted and still have Internet access to pay the ransom

User interface is similar to CryptoLocker; encrypts game-related files; Versions 2.1 and 2.2 append .vvv and .ccc to encrypted files; Version 3.0 has an improved encryption algorithm and appends .xxx, .ttt, and .mp3 to files it encrypts

CRYPVAULT

VaultCrypt

Uses the GnuPG encryption tool; downloads a hacking tool to steal credentials stored in web browsers; uses sDelete 16 times to prevent or hinder recovery of files; has a customer support portal; is a batch-script crypto-ransomware

CRYPSHED

Troldesh

First seen in Russia; added English translation to its ransom note to target other countries; aside from appending .xtbl to the file name of the encrypted files, it also encodes the file name, causing affected users to lose track of what files are lost

SYNOLOCK

SynoLocker

Exploits Synology NAS devices' operating system (DSM 4.3-3810 or earlier) to encrypt files stored in that device; has a customer support portal

KRYPTOVOR

Kriptovor

Part of a multi-component infection; aside from its crypto-ransomware component, it has an information-stealing component that steals certain files and the process list and captures a desktop screenshot; uses an open source Delphi library called LockBox 3 to encrypt files

CRYPFINI

CryptInfinite, DecryptorMax

Arrives via spam with a macro attachment; the spam mail usually pretends to be a job application linked to a Craigslist post; Appends .crinf to files it encrypts

CRYPFIRAGO

Uses Bitmessage for communication with its creators; Appends .1999 or .bleep to files it encrypts

CRYPRADAM

Radamant

May arrive via exploit kits; Appends .rdm to files it encrypts

CRYPTRITU

Ransom32

Known as the JavaScript ransomware

CRYPBOSS

CrypBoss

Appends .crypt to files it encrypts

CRYPZUQUIT

Zuquitache, Fakben

Known as the ransomware-as-a-service (RaaS) malware

CRYPDAP

PadCrypt

Has live chat support for affected users; Arrives via spam

CRYPHYDRA

HydraCrypt

Based on leaked source code of CrypBoss; Arrives via spam

LOCKY

Locky

Renames encrypted files to hex values; Appends .locky to files it encrypts; Arrives via spam with macro-embedded .DOC attachment, similar to the arrival of DRIDEX malware

CERBER

Cerber

Encrypts the file name and appends it with .cerber; Drops a .VBS file that makes the computer speak to the victim